The General Data Protection Law (LGPD – Lei Geral de Proteção de Dados Pessoais) came into force on September 18, 2020. As the first comprehensive legislation focused on personal data processing in all sectors of the economy, the LGPD represents a substantial change in Brazilian law.

Although the LGPD was inspired by the European Union’s General Data Protection Regulation (GDPR), including in its extraterritorial effects, the two pieces of legislation are not identical, and in fact, they have notable differences. In other words, compliance with the GDPR does not equate to compliance with the LGPD.

Six months after the LGPD came into effect, both lessons and challenges have emerged.

Privacy as a competitive differentiator

Businesses of all sizes, especially multinational companies doing business in Brazil, have seen that compliance with privacy and data protection rules provides a competitive edge. The subject has become a true “hot topic” in Brazil, driven by individuals’ concerns over the protection of their privacy.

There is a growing local movement that recognizes value in companies that have already come into compliance with the LGPD and demonstrate real concern over their customers’ personal data. Companies that have put LGPD compliance programs in place are also moving forward on revising their contracts with suppliers and commercial partners, and even terminating contracts with organizations that cannot show they too comply with the new legislation.

Action by regulatory authorities

The National Data Protection Authority (ANPD – Autoridade Nacional de Proteção de Dados) was set up at the end of 2020. The ANPD is responsible for issuing regulations under the LGPD and for enforcing the Law. Although the administrative penalties provided for under the LGPD can only be applied starting August 1, 2021, both the ANPD and other regulatory authorities have conducted investigations into violations of the LGPD and other Brazilian laws that deal with data protection and privacy.

In particular, consumer protection agencies such as the Public Prosecutors’ Offices, the state consumer protection entities (PROCONs), and the National Consumer Department (Senacon) have made strong efforts in data protection and privacy matters, and have begun investigations into all significant data breaches in recent months that had an impact in Brazil. And while the LGPD’s penalties only come into effect in August of this year, that does not prevent regulatory authorities from applying sanctions under other legislation, such as the Consumer Defence Code and the Internet Bill of Rights.

Litigation based on the LGPD

The LGPD provides that data subjects can bring lawsuits against data controllers and processors for violating the legislation, claiming damages for both economic and non-economic losses caused by the violation. Litigation based on the LGPD began within the first few days after the legislation came into force.

Six months into the LGPD, there are already hundreds of cases before the courts. In some situations, such as personal data breaches, a new type of mass litigation has begun to appear, with numerous claims made by data subjects against the same company, usually seeking damages for non-economic injury.

Cyber attacks

With the spread of the pandemic and forced digitalization of many businesses, the number of security incidents and cyber attacks has increased exponentially over the last few months.

The sophistication of the attacks has also increased significantly. Businesses have been facing complex challenges in improving their technological structures and ensuring the security of the data they process.

Compliance with the LGPD is an essential step in preventing major risks associated with security incidents involving personal data. To learn more about the requirements related to security incidents under the LGPD, consult our guide on how to react to personal data breaches.